Merge pull request #419 from kubescape/image

fill ImageID and ImageTag in applicationprofiles
kubescape · Nov 26, 2024 · 650eb89 · 650eb89
2 parents d489fe4 + 03c74dc
commit 650eb89
Show file tree

Hide file tree

Showing 6 changed files with 19 additions and 7 deletions.
diff --git a/pkg/applicationprofilemanager/v1/applicationprofile_manager.go b/pkg/applicationprofilemanager/v1/applicationprofile_manager.go
@@ -406,7 +406,7 @@ func (am *ApplicationProfileManager) saveProfile(ctx context.Context, watchedCon
 				newObject.Spec.EphemeralContainers = addContainers(newObject.Spec.EphemeralContainers, watchedContainer.ContainerNames[utils.EphemeralContainer])
 				// enrich container
 				newContainer := utils.GetApplicationProfileContainer(newObject, watchedContainer.ContainerType, watchedContainer.ContainerIndex)
-				utils.EnrichApplicationProfileContainer(newContainer, capabilities, observedSyscalls, execs, opens, endpoints, rulePolicies)
+				utils.EnrichApplicationProfileContainer(newContainer, capabilities, observedSyscalls, execs, opens, endpoints, rulePolicies, watchedContainer.ImageID, watchedContainer.ImageTag)
 				// try to create object
 				if err := am.storageClient.CreateApplicationProfile(newObject, namespace); err != nil {
 					gotErr = err
@@ -459,7 +459,7 @@ func (am *ApplicationProfileManager) saveProfile(ctx context.Context, watchedCon
 						}
 					}
 					// update it
-					utils.EnrichApplicationProfileContainer(existingContainer, capabilities, observedSyscalls, execs, opens, endpoints, rulePolicies)
+					utils.EnrichApplicationProfileContainer(existingContainer, capabilities, observedSyscalls, execs, opens, endpoints, rulePolicies, watchedContainer.ImageID, watchedContainer.ImageTag)
 					// get existing containers
 					var existingContainers []v1beta1.ApplicationProfileContainer
 					if watchedContainer.ContainerType == utils.Container {
@@ -622,6 +622,8 @@ func (am *ApplicationProfileManager) startApplicationProfiling(ctx context.Conte
 
 	watchedContainer := &utils.WatchedContainerData{
 		ContainerID:      container.Runtime.ContainerID,
+		ImageID:          container.Runtime.ContainerImageDigest,
+		ImageTag:         container.Runtime.ContainerImageName,
 		UpdateDataTicker: time.NewTicker(utils.AddJitter(am.cfg.InitialDelay, am.cfg.MaxJitterPercentage)),
 		SyncChannel:      syncChannel,
 		K8sContainerID:   k8sContainerID,

diff --git a/pkg/networkmanager/v2/network_manager.go b/pkg/networkmanager/v2/network_manager.go
@@ -436,6 +436,8 @@ func (nm *NetworkManager) startNetworkMonitoring(ctx context.Context, container
 
 	watchedContainer := &utils.WatchedContainerData{
 		ContainerID:      container.Runtime.ContainerID,
+		ImageID:          container.Runtime.ContainerImageDigest,
+		ImageTag:         container.Runtime.ContainerImageName,
 		UpdateDataTicker: time.NewTicker(utils.AddJitter(nm.cfg.InitialDelay, nm.cfg.MaxJitterPercentage)),
 		SyncChannel:      syncChannel,
 		K8sContainerID:   k8sContainerID,

diff --git a/pkg/relevancymanager/v1/relevancy_manager.go b/pkg/relevancymanager/v1/relevancy_manager.go
@@ -284,6 +284,8 @@ func (rm *RelevancyManager) startRelevancyProcess(ctx context.Context, container
 
 	watchedContainer := &utils.WatchedContainerData{
 		ContainerID:      container.Runtime.ContainerID,
+		ImageID:          container.Runtime.ContainerImageDigest,
+		ImageTag:         container.Runtime.ContainerImageName,
 		UpdateDataTicker: time.NewTicker(utils.AddJitter(rm.cfg.InitialDelay, rm.cfg.MaxJitterPercentage)),
 		SyncChannel:      make(chan error, 10),
 		K8sContainerID:   k8sContainerID,

diff --git a/pkg/rulemanager/v1/rule_manager.go b/pkg/rulemanager/v1/rule_manager.go
@@ -213,6 +213,8 @@ func (rm *RuleManager) startRuleManager(ctx context.Context, container *containe
 
 	watchedContainer := &utils.WatchedContainerData{
 		ContainerID:    container.Runtime.ContainerID,
+		ImageID:        container.Runtime.ContainerImageDigest,
+		ImageTag:       container.Runtime.ContainerImageName,
 		SyncChannel:    syncChannel,
 		K8sContainerID: k8sContainerID,
 		NsMntId:        container.Mntns,

diff --git a/pkg/utils/applicationprofile.go b/pkg/utils/applicationprofile.go
@@ -84,7 +84,11 @@ func CreateCapabilitiesPatchOperations(capabilities, syscalls []string, execs ma
 	return profileOperations
 }
 
-func EnrichApplicationProfileContainer(container *v1beta1.ApplicationProfileContainer, observedCapabilities, observedSyscalls []string, execs map[string][]string, opens map[string]mapset.Set[string], endpoints map[string]*v1beta1.HTTPEndpoint, rulePolicies map[string]v1beta1.RulePolicy) {
+func EnrichApplicationProfileContainer(container *v1beta1.ApplicationProfileContainer, observedCapabilities, observedSyscalls []string, execs map[string][]string, opens map[string]mapset.Set[string], endpoints map[string]*v1beta1.HTTPEndpoint, rulePolicies map[string]v1beta1.RulePolicy, imageID, imageTag string) {
+	// add image metadata
+	container.ImageID = imageID
+	container.ImageTag = imageTag
+
 	// add capabilities
 	caps := mapset.NewSet(observedCapabilities...)
 	caps.Append(container.Capabilities...)

diff --git a/pkg/utils/applicationprofile_test.go b/pkg/utils/applicationprofile_test.go
@@ -43,21 +43,21 @@ func Test_EnrichApplicationProfileContainer(t *testing.T) {
 	var test map[string]*v1beta1.HTTPEndpoint
 
 	// empty enrich
-	EnrichApplicationProfileContainer(existingContainer, []string{}, []string{}, map[string][]string{}, map[string]mapset.Set[string]{}, test, map[string]v1beta1.RulePolicy{})
+	EnrichApplicationProfileContainer(existingContainer, []string{}, []string{}, map[string][]string{}, map[string]mapset.Set[string]{}, test, map[string]v1beta1.RulePolicy{}, "", "")
 	assert.Equal(t, 5, len(existingContainer.Capabilities))
 	assert.Equal(t, 2, len(existingContainer.Execs))
 	assert.Equal(t, 5, len(existingContainer.Syscalls))
 	assert.Equal(t, 0, len(existingContainer.Opens))
 
 	// enrich with existing capabilities, syscalls - no change
-	EnrichApplicationProfileContainer(existingContainer, []string{"SETGID"}, []string{"listen"}, map[string][]string{}, map[string]mapset.Set[string]{}, test, map[string]v1beta1.RulePolicy{})
+	EnrichApplicationProfileContainer(existingContainer, []string{"SETGID"}, []string{"listen"}, map[string][]string{}, map[string]mapset.Set[string]{}, test, map[string]v1beta1.RulePolicy{}, "", "")
 	assert.Equal(t, 5, len(existingContainer.Capabilities))
 	assert.Equal(t, 2, len(existingContainer.Execs))
 	assert.Equal(t, 5, len(existingContainer.Syscalls))
 	assert.Equal(t, 0, len(existingContainer.Opens))
 
 	// enrich with new capabilities, syscalls - add
-	EnrichApplicationProfileContainer(existingContainer, []string{"NEW"}, []string{"xxx", "yyy"}, map[string][]string{}, map[string]mapset.Set[string]{}, test, map[string]v1beta1.RulePolicy{})
+	EnrichApplicationProfileContainer(existingContainer, []string{"NEW"}, []string{"xxx", "yyy"}, map[string][]string{}, map[string]mapset.Set[string]{}, test, map[string]v1beta1.RulePolicy{}, "", "")
 	assert.Equal(t, 6, len(existingContainer.Capabilities))
 	assert.Equal(t, 2, len(existingContainer.Execs))
 	assert.Equal(t, 7, len(existingContainer.Syscalls))
@@ -67,7 +67,7 @@ func Test_EnrichApplicationProfileContainer(t *testing.T) {
 	opens := map[string]mapset.Set[string]{
 		"/checkoutservice": mapset.NewSet("O_RDONLY", "O_WRONLY"),
 	}
-	EnrichApplicationProfileContainer(existingContainer, []string{"NEW"}, []string{"xxx", "yyy"}, map[string][]string{}, opens, test, map[string]v1beta1.RulePolicy{})
+	EnrichApplicationProfileContainer(existingContainer, []string{"NEW"}, []string{"xxx", "yyy"}, map[string][]string{}, opens, test, map[string]v1beta1.RulePolicy{}, "", "")
 	assert.Equal(t, 6, len(existingContainer.Capabilities))
 	assert.Equal(t, 2, len(existingContainer.Execs))
 	assert.Equal(t, 7, len(existingContainer.Syscalls))